3.1.3 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)

Audit

1. First, SSH to the relevant worker node.
2. Enter the following command to check if the Kubelet Service is running:

   sudo systemctl status kubelet

   The output should return Active: active (running) since...
3. Run the following command on each node to find the appropriate Kubelet config file:

   ps -ef | grep kubelet

   The output should return something similar to --config /etc/kubernetes/kubelet/config.json, which is the location of the Kubelet config file.
4. Run the following command:

   stat -c %a /etc/kubernetes/kubelet/config.json

5. Verify that the permissions are 644 or more restrictive.

1. Run a pod that is privileged enough to access the host's file system. To do this, deploy a pod that uses the hostPath volume to mount the node's file system into the pod.
   An example of a simple pod definition that mounts the root of the host to /host within the pod:

   apiVersion: v1
   kind: Pod
   metadata:
     name: file-check
   spec:
     volumes:
     - name: host-root
       hostPath:
         path: /
         type: Directory
     containers:
     - name: nsenter
       image: busybox
       command: ["sleep", "3600"]
       volumeMounts:
       - name: host-root
         mountPath: /host
       securityContext:
         privileged: true

2. Save this to a file (e.g., file-check-pod.yaml) and create the pod:

   kubectl apply -f file-check-pod.yaml

3. Once the pod is running, exec into it to check file permissions on the node:

   kubectl exec -it file-check -- sh

4. Now you are in a shell inside the pod, but you can access the node's file system through the /host directory and check the permission level of the file:

   ls -l /host/etc/kubernetes/kubelet/config.json

5. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.

Remediation

chmod 644 /etc/kubernetes/kubelet/config.json